Blog | Digital Risk Protection

LastPass Bug Allowed Credentials to be Exposed

Written by Andre Luiz R. Silva | Oct 4, 2019 8:35:47 PM

Who protects the password keepers? On September 13th, popular password manager LastPass, a Google Chrome and Opera browser extension, announced that it had fixed a bug that had potentially exposed its users’ passwords. No victims have been reported, but the discovery of a bug even in a “password vault” is yet another important warning about the complexity of managing credential security.

 

Understanding the LastPass bug


Here, in short, is how a hypothetical data exposure might occur: a user would fill in his or her password with LastPass on some website. Then, while visiting a second, malicious site their password would be captured because the extension would be tricked into filling in the password that was previously used.

The problem was discovered on August 29th by Google Project Zero, an initiative focused on finding zero-day vulnerabilities (serious and urgent flaws that can be quietly exploited by hackers), which then warned LastPass.

In the official announcement, LastPass said that the bug has been fixed and that all of the manager’s extensions have already updated to version 4.33.0. But if you have disabled automatic updates, it’s obviously very important to check.

 

Password protection: A set of practices


The official statement from LastPass also advised users to step up best practices for security and protection while navigating. It’s no surprise that the first and foremost of these recommendations is to watch out for phishing. After all, it is these invalid or fake pages that lead to data capture in a case such as this.

And while having a password manager is highly recommended (and should not be overlooked!), it’s worth noting that other layers and forms of password protection are essential today. These recommendations were also suggested by LastPass itself.

So are other good protection techniques, such as using two-factor authentication (2FA) and, of course, being careful not to use the same password on more than one site. As we’ve already discussed here, it is through the practice of credential stuffing—the criminal use of so-called “checkers”—that criminals discover sites and applications where they can use leaked credentials. Some of these checkers test lists with millions of leaked credentials against hundreds of digital services, such as airlines, online retail, etc. 

 

Thinking beyond the user’s behavior


It is essential that human behavior be taken into account when evaluating ways to protect consumers from the varied—and increasingly sophisticated—online crimes. This is because cybercriminals are experts at using psychological resources, such as thesocial engineering associated with brand impersonation or misuse

Although this point is debatable, since cybercrime takes place outside the company environment, it’s understood that the company should be responsible for protecting its users whenever they believe they are interacting with its brand. 

Here's a practical and common example: A group of cybercriminals launch a massive attack to capture credentials and use a fake social network profile that uses your brand.

This event could be interpreted as a failure of the company to protect its digital presence, consequently leading to legal sanctions, such as those prescribed in the EU’s General Data Protection Regulation (GDPR) and similar legislation worldwide. Lest you think these regulations lack teeth, know that the GDPR imposed a multimillion-dollar fine on British Airways this year. 

Capital One, a US bank, was also the victim of major leak this year, affecting 106 million people. In this case, the fact that instructions on how to access the bug were seen on the GitHub repository—even before the discovery of the data—made it clear and public that the company was unable to monitor its digital footprint.

What does this say about a case like LastPass? That there is an intrinsic relationship between good application/code development and the monitoring of information that may expose sensitive data, which the company must protect. It seems obvious, but complete protection is essential. Risk management must address each of the many steps involved in an online criminal process.

 

Acting proactively in case of leaks

In fact, just speaking of password leaks can send chills up anyone’s spine. With that in mind, we suggest you check in with MyPwd to make sure your precious credentials have not been exposed.

The site has a data base composed of both large and small leaks—even microleaks, which tend to be more spontaneous and daily. The site uses security stripes to indicate which passwords have been leaked, and can also provide alerts in case of future occurrences. It’s also possible to check corporate credential leaks and the number of occurrences for the same domain.

And if you're interested in protecting your company's digital presence, you might also want to rely on robust forms of monitoring: Axur One offers 24/7 digital risk protection that uses thousands of bots and artificial intelligence techniques. Check out our solution for Customer credentials leakage, and Threat Intelligence to monitor criminal movements on the deep and dark web.